-
Notifications
You must be signed in to change notification settings - Fork 20.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTML style comment breaks script #4904
Comments
Thanks for the report. The purpose of this regex is to both clean HTML comments and CDATA sections in XML documents, e.g.: <script>
<![CDATA[
console.log("<");
]]>
</script> HTML comments themselves should not be an issue as ECMAScript now requires HTML-style comment delimiters to also serve as JS comment ones; a relevant test case from Compat Tables: --> A comment
<!-- Another comment
var a = 3; <!-- Another comment
return a === 3; Unfortunately, IE 11 doesn't support this feature. 😞 Using regexes to parse JS is always going to have edge cases, we've learned that the hard way when we had to release jQuery 3.5. However, we need to cut out CDATA & HTML comments to be able to execute inline scripts that may contain them and using a full parser would be too slow & huge. If there's any other way to remove CDATA & HTML comments without hitting issues like this one, we'd gladly replace the current implementation. |
Hmm, since the spec requires |
Looking at it again, it seems we could skip using I also don't see a point of having the I'll submit a PR. |
I'm thinking about making the fix for IE just for the There is some risk some tools will still generate script tags like that and the removal of that logic would break those scenarios but the replacement itself is not and cannot be ideal and there will always be cases it cannot match like HTML comments in the middle of a script. Trying to not mess with the content before processing it seems to be a golden standard to prevent XSS issues (apart from more substantial solutions like CSP). |
Here's a good explanation of why HTML comments, JS comments & CDATA markers are sometimes used together in weird combinations: https://www.sitepoint.com/community/t/cdata-comment/2072/7. |
Another update: while IE doesn't conform to the spec in regular scripts or in We still need to leave the CDATA part in 3.x as getting rid of that would be a breaking change but we can remove it in 4.x without breaking handling of HTML comments in HTML documents or CDATA in XHTML ones even in IE. |
When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We still need to strip CDATA sections for backwards compatibility. This shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning but we're preserving that logic for backwards compatibility. This will be removed completely in 4.0. Fixes jquerygh-4904
When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We also used to strip CDATA sections. However, this shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning. We've preserved that behavior for backwards compatibility in 3.x but we're removing it for 4.0. Fixes jquerygh-4904
PRs to:
|
When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We also used to strip CDATA sections. However, this shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning. We've preserved that behavior for backwards compatibility in 3.x but we're removing it for 4.0. Fixes gh-4904 Closes gh-4906
When evaluating scripts, jQuery strips out the possible wrapping HTML comment and a CDATA section. However, all supported browsers are already doing that when loading JS via appending a script tag to the DOM which is how we've been doing `jQuery.globalEval` since jQuery 3.0.0. jQuery logic was imperfect, e.g. it just stripped the `<!--` and `-->` markers, respectively at the beginning or the end of the script contents. However, browsers are also stripping everything following those markers in the same line, treating them as single-line comments delimiters; this is now also mandated by ECMAScript 2015 in Annex B. Instead of fixing the jQuery logic, just let the browser do its thing. We still need to strip CDATA sections for backwards compatibility. This shouldn't be needed as in XML documents they're already not visible when inspecting element contents and in HTML documents they have no meaning but we're preserving that logic for backwards compatibility. This will be removed completely in 4.0. Fixes gh-4904 Closes gh-4905 Ref gh-4906
Michał, thank you for the quick resolution and problem clarification! |
Description
$.append fails when I try to append script element with HTML style comment.
There is no errors when I try to do the same thing using vanila JS:
When I do it using jQuery:
The root cause:
The domManip function does RegExp replacement before calling DOMEval and removes <!-- and -->:
jquery/src/manipulation.js
Line 30 in a684e6b
jquery/src/manipulation.js
Line 164 in a684e6b
Link to test case
https://codepen.io/ovarn/pen/vYmgjzP (open browser console to see the error)
The text was updated successfully, but these errors were encountered: